2677d20677
Syzbot reported the use-after-free in timer_is_static_object() [1].
This can happen because the structure for the rto timer (ccid2_hc_tx_sock)
is removed in dccp_disconnect(), and ccid2_hc_tx_rto_expire() can be
called after that.
The report [1] is similar to the one in commit

| Name |
|---|
| ccids |
| Kconfig |
| Makefile |
| ackvec.c |
| ackvec.h |
| ccid.c |
| ccid.h |
| dccp.h |
| diag.c |
| feat.c |
| feat.h |
| input.c |
| ipv4.c |
| ipv6.c |
| ipv6.h |
| minisocks.c |
| options.c |
| output.c |
| proto.c |
| qpolicy.c |
| sysctl.c |
| timer.c |
| trace.h |